run: Don't allow chroot()
If we don't allow pivot_root() then there seems no reason why we should
allow chroot().

Partially fixes GHSA-67h7-w3jq-vh4q.

Signed-off-by: Simon McVittie <smcv@collabora.com>
smcv authored and alexlarsson committed Oct 8, 2021
1 parent 1330662 commit 462fca2
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions common/flatpak-run.c
@@ -2937,6 +2937,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
{SCMP_SYS (umount), EPERM},
{SCMP_SYS (umount2), EPERM},
{SCMP_SYS (pivot_root), EPERM},
{SCMP_SYS (chroot), EPERM},
#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
/* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
* and flags arguments are reversed so the flags come second */
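Review bot: the new `{SCMP_SYS (chroot), EPERM}` entry sits next to the `pivot_root` rule with the same error, but nothing in the table records why chroot() is now denied, and the commit message only says "Partially fixes GHSA-67h7-w3jq-vh4q". A short comment beside the entry (for example, that a sandboxed app could otherwise chroot() into a tree carrying its own crafted /.flatpak-info, as stated in the discussion below) would keep the rationale with the code, and the commit message would be more useful if it named which part of the advisory remains unfixed after this change.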

4 comments on commit 462fca2

@igo95862

Wouldn't that break Firefox and Chromium?

igo95862/bubblejail@977f941

When I added a syscall filter to my sandbox I discovered that Firefox and Chromium do not work without chroot.

Collaborator Author

@smcv smcv commented on 462fca2 Jan 26, 2022

Comments on commits are not very discoverable within the GitHub UI, so they are not a good way to handle issue reporting. If you believe there is a bug in Flatpak, please report it as an issue.

When Firefox and Chromium are run as Flatpak apps, I believe they use the subsandboxing interface (flatpak-spawn) instead of making their own sandbox from first principles.

Flatpak cannot safely allow sandboxed Flatpak apps to chroot(), because if they could do that, then they would be able to chroot() into a directory with their own crafted /.flatpak-info, leading to vulnerabilities similar to CVE-2021-41133.

Collaborator Author

@smcv smcv commented on 462fca2 Jan 26, 2022

In practice Flatpak apps will not have CAP_SYS_CHROOT, so they should not be able to chroot() anyway, even before this commit.

@igo95862

If you believe there is a bug in Flatpak, please report it as an issue.

It is not a bug in Flatpak.

I am developing my own sandbox solution inspired by Flatpak.

I was reading Flatpak CVEs to find out if my sandbox is also vulnerable to the same issues and found this commit.

I recently added a syscall filter, and blocking chroot caused both Firefox and Chromium to fail.

I was wondering how Flatpak avoids the same issue. I guess being a distribution platform on top of being a sandbox gives the privilege to patch software to better suit the sandbox. My program has to settle for the distro-provided binaries.
